What to do if Google warns of state-sponsored attack

Some journalists continue to receive the warning from Google
about state-sponsored attacks that we mentioned
last week. The message appears on top of logged-in services like Gmail.
Occasionally it will disappear for a few hours and then reappear, but there is
no way to remove it.

The warning can be disturbing, especially as the company
does not provide much information, such as why it suspects such an origin for a
hacking attack. Instead, it gives a link to its support
pages explaining some general ways to increase the security of your Google
account.

Faced with the news that an entire nation-state is
apparently intent on hacking your computer, taking care to not open strange
email attachments and watching a video about strong passwords may hardly seem
sufficient.

What follows is a little more explanation, based on CPJ's
experiences with journalist information security, about what Google may be
seeing, and how you might defend yourself.

What does a state-sponsored attack look like?

In Syria, citizen
reporters get sent fake video messages on Skype with malicious software
attached. Hong Kong websites used by reporters are
hacked and dangerous payloads inserted so that they might be downloaded by unsuspecting
visitors.

These attacks may be orchestrated by states, but the
techniques are similar to those used by petty Internet criminals, who attempt
to take control of Internet users' computers via mass fraudulent emails
("phishing") or via fake websites masquerading as legitimate ones.

The difference between suspected state-sponsored cybercrime
and this constant background cybercrime is not the sophistication or success of
the attacks, but the targets. Some attacks are aimed at a small list of notable
users--say, Tibetan activists, foreign correspondents in Shanghai, and Western
diplomats; Iranian government officials and nuclear equipment engineers--rather
than the scattergun lists of millions that most commercial cybercrime exploits.

Google's warnings appear to be based on their systems for
detecting run-of-the-mill cyberattacks. The company says,
"...our detailed analysis--as well as victim reports--strongly suggest the
involvement of states or groups that are state-sponsored" and warns users
against fake websites and attachments in emails. Given this, our best guess is
that Google is deducing a state attack partly because of who is being targeted.

While the targeting is narrower than with phishing mails
that are spammed to millions of addresses, these state-sponsored attacks are
still being launched against hundreds or thousands rather than dozens of users.
We've heard many reports of these warning signs. If your Google account is
flagged, it's probably because you've ended up on some fairly large target
list.

Internet self-defense

In terms of defending yourself, it doesn't really matter
whether these attacks are state-sponsored or not. The tactics of the attacker
remain the same: repeated attempts to guess passwords and psychological tricks
to fool users into entering their passwords on fake websites or opening
dangerous attachments.

Everyday computer security advice, such as Google's, is just
as valid against a group of opportunistic state-led hackers aiming at
independent journalists or activists as it is against a group targeting the
average consumer.

One of the best ways you can defend against all of these
attacks is to choose a stronger password. Another is to regularly update your
computers' software to protect against security flaws. Finally, a specific
technique against these attacks on Google's services is to use two-step
verification. Two-step verification means that when you log in with your
password, Google will double-check to ensure that you are who you say you are.
It will text you an additional password to enter, or ask you for a number that
only you know, produced by a local app on your mobile phone. Google's info
page on the attacks encourages all of these strategies.

The future

State-sponsored attacks can also be indicated by the unique
resources exploited by the attacker. In the case of the "Flame"
malware, which is suspected
of being developed by a major Western power, the malicious software is
unusually complex, and includes techniques that appear to have come from
detailed mathematical research. In Iran and Tunisia, the governments used their
control of the local telecommunications systems in attacks against domestic
users' privacy.

In these cases, governments are not just using the
strategies of petty Internet criminals. They are marshaling their unique
state-owned resources against individuals.

There's no indication that Google is detecting such
heavyweight attacks; its advice would be very different if it were. But those
who have received its warning message may face such attacks in the future.

If and when this happens, standard consumer advice may not
be enough. To give a concrete example: hackers have already bypassed
two-factor authentication systems by first obtaining the standard
password and then taking control of the victim's phone line as well.
State-sponsored attackers with access to the mobile phone network could, of
course, do the same.

Journalists we spoke to were already aware of these risks.
Some who had received Google's warning were concerned that Google's two-factor
authentication required them to give Google their mobile phone number online,
and refused to do so. (While Google does oblige you to enter your phone number
in their two-factor setup procedure, you can remove the number after setup, if you
set your smartphone to generate its own passwords locally.)

These reporters' caution is understandable. As we say in
CPJ's Journalist Security Guide, your best defense is your professional knowledge of
potential attackers.

Google's general warning about state attacks is a useful
clue as to who may be interested in you, and for now, the company's security
advice is good. But it's always worth thinking about the specifics of your own
situation, and taking extra precautions.

While Google and other "cloud" services would
never instruct you to do so, you may wish to delete confidential data held in
online accounts, or even close down a targeted account entirely. You also might
want to compartmentalize data by keeping it offline, or use separate accounts
on separate computers. Think about how the attacker might have obtained enough
information to target your account. Do they just know your email address? Have
your colleagues been similarly targeted? Discuss with others what you've
learned, and share advice.

Above all, don't feel too singled out. There are a lot of
people seeing Google's warning. If you haven't already considered that you are
attracting the attention of the local authorities, it's a useful new
indication. But most journalists already know they are on a government list.
Google's warning should remind us to do online what good journalists have
always done: be careful about what you say, and what information you keep or
hand out to third parties--including services like Google.

Comments

I am a strong supporter of 2FA, and my advice is: if you haven’t yet taken advantage of the 2-step verification offered, I’d encourage you to take a moment today and do that. I have not had any issues with giving them my mobile number, as some want to claim. You are not going to find a more secure and easier user experience anywhere. So activating the two-factor authentication technology, where you can telesign into your account by entering a one-time PIN code, is worth the time it takes to set it up and have the confidence that your account won't get hacked and your personal information isn't up for grabs.